Windows PKI team always knows how to make our live harder :). Yesterday Shay Levy pointed me to one interesting thread: http://www.powergui.org/thread.jspa?messageID=47514

Basic intro: this attribute is used by Credential Roaming Service. By default if user uses roaming profile, credentials (and personal certificates) don’t roam! This means that user can use the same profile on other computers, but will not able to use certificates (i.e. decrypt files, mails, sign documents and so on). Though if certificate autoenrollment is enabled, user will enroll new certificates. But they will remain on that computer only. The one possible way to work around this issue is to use smart cards. But this is quite expensive solution. With Credential Roaming Service all certificates will roam with user. However this is not pretty secure solution, because domain administrators will have an access to user private keys. However at certain point domain users must trust administrators, so this solution is enough for many scenarios with roaming profiles.

Several days ago I have worked on one interesting issue:

Enterprise CA running on a Hyper-V virtual machine. Due of maintenance plans host server was rebooted. In the next day users were unable to logon to their workstations by using smart cards due of the error: A revocation check could not be performed for the certificate. Password users were unable to connect to terminal servers by using RDP-TLS protocol due of the same error.

In this article I would like to discuss about DateTime type encoding and decoding by using ASN.1 DER encoding rules. I have already posted similar explanations for other data types: ASN.1

As any other data type DateTime is encoded by using the following structure:

• Tag value. For DateTime must be 0x17
• Data length. For DateTime must be 0x0d (13).
• Actual encoded data.

For one of my project I was required to encode and decode CA certificate "CA Version" extension. The biggest problem is that there are no .NET or CryptoAPI interfaces that can do it.

CA Version abstract

CA Version extension is private Microsoft certificate extension and used in Windows PKI only. In addition, this extension exist only in CA certificate (where CA Type property of Basic Constraints extension is set to CA = True). End entity certificates never contains this extension. Main purpose of this certificate is to simplify CA server lifecycle. Sometimes CA certificate become expired and there are two choices to continue the work: build new CA from scratch or renew CA certificate (see related discussion about CA certificate renewal: Root CA certificate renewal). Though there are certain cases when CA requires to renew its own certificate prior to expiration. As the result CA server will maintain two signing certificates. Windows CA MUST publish CRLs for each valid signing key (not a certificate!). Since CA certificate can be renewed with existing key pair it is possible when CA server maintains multiple CA certificates and single CRL. Or CA server can maintain four CA certificates. Here is a great article that describes how CA Version extension works — Certification Authority Renewal.

Time at time I need to resolve Object Identifier (OID) to human-readable friendly name or get an OID if its OID is known. There are a lot of OIDs that are used in Internet PKI. In addition there may be custom OIDs that are defined (registered) within certain Active Directory forest. I can't remember all these OIDs and need a way to translate (or resolve) them. Even there are some online resources that provide a search in the OID tree. My favorite resource is: OID assignments from the top node. You can explore each tree and learn a bit more about OID structure. However these resources don't provide flexible way to automate this search. For example, I have OID = 1.3.6.1.5.5.7.3.1, but I don't know this OID friendly name. We can manually search this OID at such libraries and get the following output: id_kp_serverAuth. And if I need to get OCSP Signing OID. This task is harder. Fortunately there is a way to perform this translation in both directions: OID <—> Friendly Name.